Add observables

EclecticIQ Intelligence Center uses enrichers to automatically retrieve data that augments an entity intelligence value by adding more context. These details are stored as discrete pieces of information called observables.

Besides enrichment, you can also manually add observables to entities to augment their intelligence value with additional context.

Manually add observables

To manually add an observable, do one of the following:

  • In the entity detail pane, click the More menu icon and select Edit from the drop-down menu.

    In the entity editor, under Observables, click Observables.

  • In the side navigation bar, click the create icon > Observable.

  • Click the search icon > GO TO SEARCH AND BROWSE > Observables > Create observable +.

In the Add observables view, fill out these fields:

Field          | EIQ JSON field                           | Description
---------------|------------------------------------------|-----------------------------------------------------------
Type*          | extracts[].kind                          | See Observable types.
Value(s)*      | extracts[].value                         | Enter one or more values. One observable is created per value when you select Save. If you enter more than one value, either separate them with commas or enter one value per line. Do not use commas and newlines as delimiters at the same time.
Maliciousness* | See Observable maliciousness.            | See Observable maliciousness.
Source*        | Set on parent observable-wrapper entity. | See Observable wrapper.

  1. From the Type drop-down menu, select the type of observable you are creating.

  2. From the drop-down menu, select the value that best describes the type of relationship between the parent entity and the embedded observable.

  3. In the Value(s) field, enter the values of the observable.

    If you enter multiple values, separate them with a comma (,).

  4. From the Maliciousness drop-down menu, select the maliciousness level.

  5. From the Source drop-down menu, select the data source associated with the observable.

  6. To store your changes, click Save; to discard them, click Cancel.

Note

The following observable types cannot be created through the UI. They are created only by automatic extraction from entities or through the REST API.

  • cce (Common Configuration Enumeration)

  • cve (Common Vulnerability Enumeration)

  • cwe (Common Weakness Enumeration)

  • rule (generic rule type)

  • snort

  • yara

(Recommended) Use the following instead:

  • A Vulnerability entity to represent cce, cve, and cwe.

  • An Indicator entity, whose test mechanism component can represent the generic rule type, snort, and yara.
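The value-splitting rule from the Add observables form (commas or newlines, never both) and the UI-unavailable type list above, worked through as an added example. This is illustration code, not part of EclecticIQ Intelligence Center; it only fills the two EIQ JSON fields the page documents (`extracts[].kind` and `extracts[].value`), and the observable type `domain` used in the comments is an assumed example type.

```python
# Observable types the page says cannot be created through the UI
# (they come only from automatic extraction or the REST API).
UI_UNAVAILABLE_KINDS = {"cce", "cve", "cwe", "rule", "snort", "yara"}


def split_values(raw: str) -> list[str]:
    """Split the contents of the Value(s) field into individual values.

    Values may be comma-separated OR one-per-line. Mixing both delimiters
    in a single input is rejected, matching the rule in the form's table.
    """
    has_comma = "," in raw
    has_newline = "\n" in raw
    if has_comma and has_newline:
        raise ValueError("use either commas or newlines as delimiters, not both")
    delimiter = "," if has_comma else "\n"
    # strip() also removes a trailing '\r' from CRLF line endings
    values = [v.strip() for v in raw.split(delimiter)]
    values = [v for v in values if v]
    if not values:
        raise ValueError("at least one value is required")
    return values


def build_extracts(kind: str, raw_values: str) -> list[dict]:
    """Build one extracts[] entry per value, as the UI does on Save.

    `kind` maps to extracts[].kind and each value to extracts[].value;
    no other fields are filled in because the page documents only these two.
    Kinds that the UI does not offer are rejected with the page's
    recommended alternative.
    """
    if kind in UI_UNAVAILABLE_KINDS:
        raise ValueError(
            f"{kind!r} is not available through the UI; represent it with a "
            "Vulnerability entity (cce/cve/cwe) or an Indicator entity "
            "test mechanism (rule/snort/yara) instead"
        )
    return [{"kind": kind, "value": v} for v in split_values(raw_values)]


if __name__ == "__main__":
    # 'domain' is an assumed example observable type; the values are constructed.
    for extract in build_extracts("domain", "example.com, example.org"):
        print(extract)
```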

Tip

To create observables with link names, see Observable link types.

Observable wrapper

Entities provide context and the Source property for observables. However, when you manually add observables, they are created without an explicit entity to inherit context or properties from.

Instead, an invisible observable-wrapper entity is created to temporarily contain these observables. The Source you assign when manually adding observables is set on this observable-wrapper entity, which allows permissions for these observables to be applied correctly through the Allowed sources in groups.

Caution

observable-wrapper entities cannot be accessed or modified through the normal operation of EclecticIQ Intelligence Center.

If you need to change the source or context for an observable that is provided by a linked entity, explicitly add that observable to a different entity instead.